Computer Forensics - Lesson 02

This document provides an overview of computer forensics and cyber security. It discusses preparing for and collecting digital evidence, ensuring the integrity of evidence through proper documentation and chain of custody procedures. Key aspects include making bit-level copies of drives, using hashing tools to verify evidence has not been altered, and analyzing backups on an isolated forensic workstation.

Uploaded by Muisyo James
License: Attribution Non-Commercial (BY-NC)

COMPUTER FORENSICS AND CYBER SECURITY

MSC DCT Lesson 2

Course outline
Digital Evidence (EA):
- Requirements for digital evidence
- Admissibility of electronic evidence
- Preparing for collection of digital evidence
- Forensic examination of computers and digital electronic media

Preparing for collection of evidence

Before any evidence is collected, assess the reliability of the tools you intend to use:
- Are the error rates of the tool for this kind of analysis known and documented?
- Can a second, independent tool be used to substantiate the findings?

Records
Through every step of the procedure, it is crucial to record and document everything that is done and everything that is used.
This ensures that the procedure is repeatable.

Records
What to record:
- Who initially reported the suspected incident, with the time, date and circumstances surrounding it.
- Details of the initial assessment that led to the formal investigation.
- Names of all persons conducting the investigation.
- The case number of the incident.
- Reasons for the investigation.
- A list of all computer systems included in the investigation, with complete system specifications.
- Network diagrams.
- Applications running on the computer systems listed.
- A copy of the policy or policies that govern access to and use of those systems.
- A list of the administrators responsible for routine maintenance of those systems.
- A detailed list of the steps used in collecting and analyzing evidence.
- An access record (the chain of custody) of who had access to the collected evidence, and at what date and time.

Evidence Collection
Steps:
1. Find the evidence
2. Find the relevant data
3. Create an order of volatility
4. Remove external avenues of change
5. Collect the evidence
6. Document everything

Evidence Collection
Find the evidence:
Determine where the evidence you are looking for is stored. Use a checklist to double check that everything you are looking for is there.

Evidence Collection
Find the relevant data:
Once you've found the data, you need to work out which part of it is relevant to the case. In general you should err on the side of over-collection: data you did not collect cannot be recovered later, whereas surplus data can simply be set aside.

Evidence Collection
Create an order of volatility:
Now that you know exactly what to gather, work out the best order in which to gather it: most volatile first. A typical order is registers and cache, then memory and network state, then running processes, then disk, then archival media such as backups. This minimizes the loss of evidence that would otherwise be overwritten or disappear when the system changes state.

Evidence Collection
Remove external avenues of change:
It is essential that you avoid alterations to the original data. In practice this means isolating the system from the network and attaching storage media through a write-blocker before anything is read. Preventing anyone (including yourself) from tampering with the evidence lets you create as exact an image as possible.

Evidence Collection
Collect the evidence:
Collect the evidence using the appropriate tools for the job. As you go, re-evaluate the evidence you've already collected; you may find that you missed something important.

Evidence Collection
Document everything:
Your collection procedures may be questioned later, so it is important that you document everything that you do.

Digital Evidence vs. Physical Evidence


It can be duplicated exactly, and a copy can be examined as if it were the original.
Examining a copy avoids the risk of damaging the original.

With the right tools it is easy to determine whether digital evidence has been modified or tampered with, by comparing its cryptographic hash with that of the original.

Digital Evidence vs. Physical Evidence


It is relatively difficult to destroy.
Even if it is deleted, digital evidence can often be recovered from unallocated space, until that space is reused.

When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of (backups, logs, caches, swap files, other hosts).

Collecting and Preserving Digital Evidence


The focus of digital evidence is on the contents of the computer as opposed to the hardware. There are two kinds of copies:
- Copy everything.
- Copy just the information needed.

When there is plenty of time and uncertainty about what is being sought, but a computer is suspected to contain key evidence, it makes sense to copy the entire contents.

Collecting and Preserving Digital Evidence


General steps when collecting the entire contents:
- Capture volatile data (running processes, network connections, memory contents) from RAM before the machine is powered down.
- Shut the computer down.
- Document the hardware configuration of the system.
- Document the time and date of the BIOS/CMOS clock, and compare it with a trusted time source.
- Boot the computer from another operating system that bypasses the installed one and does not write to the hard drive(s).
- Make a copy of the digital evidence on the hard drive(s).

Collecting and Preserving Digital Evidence


When collecting the entire contents of a computer, a bit stream copy of the digital evidence is usually desirable.
A bit stream copy reproduces every sector of the medium, including slack space and unallocated space, whereas a regular (file-level) copy reproduces only the allocated files.

Duplication and Preservation of Evidence


Make bit stream back-ups of hard disks and flash disks. Tools to accomplish this:
- EnCase
- dd (often expanded as "disk dump")
- ByteBack
- SafeBack

Note the tool used. When making the bit stream image, note and document how the image was created, and also the date, the time and the examiner.

Duplication and Preservation of Evidence


Rule of thumb:
If you only make one copy of digital evidence, assume that copy will be damaged or completely lost. Always make at least two.

Computer Image Verification


At least two copies are taken of the evidential computer. One of these is sealed in the presence of the computer owner and then placed in secure storage. This is the master copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy.

Collecting and Preserving Digital Evidence


In a UNIX environment:
- ps (e.g. ps aux or ps -ef): lists the running programs as held in RAM.
- gcore: dumps the memory image of a running process to a core file, allowing its contents to be saved and viewed on some UNIX-based OSs.
- lsof: lists the files and sockets a particular process is using.
- dd: makes the bit stream backup.
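The collection steps above (order of volatility, collect with the right tools, document everything) and the UNIX commands on this slide fit together as one procedure. The script below is an added example, not code from the slides: it runs a collection plan most-volatile-first, saves each command's output, hashes it with SHA-256 and writes a case log with examiner, time and command line. The default plan (ps, lsof, uptime), the output directory and the log format are assumptions.

```python
"""Collect volatile data in order of volatility, hashing and logging each artefact.

Added example, not from the lecture slides. The command list, directory
layout and log format are assumptions; only ps and lsof come from the slide.
"""
import hashlib
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Collection plan, most volatile first: process state and open files/sockets
# disappear on shutdown, so they are captured before anything that lives on disk.
DEFAULT_PLAN = [
    ("processes", ["ps", "-ef"]),
    ("open_files_sockets", ["lsof", "-n", "-P"]),
    ("uptime", ["uptime"]),
]


def run_step(name, argv, outdir):
    """Run one collection command, save its output, and return the log record."""
    started = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run(argv, capture_output=True, check=False)
    path = os.path.join(outdir, f"{name}.txt")
    with open(path, "wb") as fh:
        fh.write(proc.stdout)
    return {
        "step": name,
        "command": " ".join(argv),
        "started_utc": started,
        "returncode": proc.returncode,
        "output_file": path,
        "bytes": len(proc.stdout),
        "sha256": hashlib.sha256(proc.stdout).hexdigest(),
    }


def collect(plan, outdir, examiner, case_number):
    """Execute the plan in the given order and write every record to the case log."""
    os.makedirs(outdir, exist_ok=True)
    records = []
    for name, argv in plan:
        try:
            rec = run_step(name, argv, outdir)
        except FileNotFoundError:
            # A missing tool is recorded as a gap, never silently skipped.
            rec = {"step": name, "command": " ".join(argv), "error": "tool not found"}
        rec["examiner"] = examiner
        rec["case_number"] = case_number
        records.append(rec)
    with open(os.path.join(outdir, "collection_log.json"), "w") as fh:
        json.dump(records, fh, indent=2)
    return records


def verify_outputs(records):
    """Re-hash each saved output; True only if every digest still matches the log."""
    for rec in records:
        if "sha256" not in rec:
            continue
        with open(rec["output_file"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != rec["sha256"]:
                return False
    return True


if __name__ == "__main__":
    # Usage: python collect_volatile.py <output dir> <examiner initials> <case number>
    outdir = sys.argv[1] if len(sys.argv) > 1 else "./case_evidence"
    who = sys.argv[2] if len(sys.argv) > 2 else "examiner"
    case = sys.argv[3] if len(sys.argv) > 3 else "CASE-0000"  # assumed numbering
    for r in collect(DEFAULT_PLAN, outdir, who, case):
        print(r["step"], r.get("sha256", r.get("error")))
```

The digests recorded at collection time are what later lets a reviewer confirm the saved outputs were not altered; `verify_outputs` is the check to rerun before the files are handed over.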

Collecting and Preserving Digital Evidence


What to label on a disk containing digital evidence:
- The current date and time, and the date/time on the computer (any discrepancy should be noted).
- The initials of the person who made the copy.
- The name of the operating system.
- The program(s) and/or command(s) used to copy the files. Retain copies of the software used.
- The information believed to be contained in the files.

Ensuring Evidence Integrity


Involves controlling contamination of the evidence. The chain of custody:
Once the data has been collected, it must be protected from contamination, and every person who handles it, when, and why, must be recorded. Originals should never be used in forensic examination; verified duplicates should be used instead.

Ensuring Evidence Integrity


Analysis:
Once data has been successfully collected, it must be analyzed to extract the evidence you wish to present and to reconstruct exactly what happened. Fully document everything you do: your work will be questioned, and you must be able to show that your results are consistently obtainable from the procedures you performed.

Ensuring Evidence Integrity


Time:
To reconstruct the events that led to your system being compromised, you must be able to create a timeline. Log files use timestamps to indicate when an entry was added, and entries from different sources must be brought onto one synchronized clock (allowing for time zone and any recorded clock drift) before they make sense together.
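As an added example (not part of the slides), the script below builds a single UTC timeline from three log sources whose clocks disagree. The hosts, time zones, clock skews and log lines are constructed for illustration; the skew values stand in for the "date/time on the computer" discrepancy that the earlier slide says to note at collection time.

```python
"""Merge logs from hosts with different time zones and clock skews into one UTC timeline.

Added example, not from the lecture slides. Hosts, offsets, skews and the
log lines below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Clock facts noted per source at collection time.  skew = device clock - true time,
# so a clock that runs 2 minutes slow has skew -2 min.
SOURCES = {
    "fw01":  {"tz": timezone.utc,                    "skew": timedelta(0)},
    "web01": {"tz": timezone(timedelta(hours=3)),    "skew": timedelta(minutes=-2)},  # 2 min slow
    "ws-17": {"tz": timezone(timedelta(hours=-5)),   "skew": timedelta(seconds=45)},  # 45 s fast
}

# Constructed log lines: "<local timestamp> <host> <message>"
SAMPLE_LINES = [
    "2024-03-02 13:04:30 fw01 allow tcp 203.0.113.9 -> 10.0.0.5:22",
    "2024-03-02 16:03:10 web01 sshd accepted password for root from 203.0.113.9",
    "2024-03-02 08:06:00 ws-17 user jdoe opened payroll.xlsx from \\\\web01\\share",
    "2024-03-02 13:05:40 fw01 allow tcp 10.0.0.5 -> 198.51.100.7:443",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def normalize(line):
    """Return (true_utc_time, host, message, raw_line), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    if host not in SOURCES:
        # An event from a host whose clock was never documented cannot be placed.
        raise ValueError(f"no clock record for host {host}")
    src = SOURCES[host]
    local = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=src["tz"])
    true_time = local.astimezone(timezone.utc) - src["skew"]
    return true_time, host, m.group("msg"), line


def build_timeline(lines):
    """Normalize every line and sort by corrected UTC time."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])
    return events


def raw_order(lines):
    """Host order you get by naively sorting on the timestamps as written."""
    parsed = [LINE_RE.match(l) for l in lines]
    return [m.group("host") for m in sorted(parsed, key=lambda m: m.group("ts"))]


if __name__ == "__main__":
    for when, host, msg, _ in build_timeline(SAMPLE_LINES):
        print(when.isoformat(), host, msg)
```

Sorted on the raw timestamps, the workstation event appears hours before the firewall saw the inbound connection; with time zone and skew applied, the inbound SSH, the root login and the file access fall in the order an intrusion would actually produce.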

Ensuring Evidence Integrity


Forensic Analysis of backups:
When analyzing backups it is best to have a dedicated host for the job. This examination host should be secure, clean, and isolated from any network. Document everything you do, ensure that what you do is repeatable and capable of always giving the same results.

Ensuring Evidence Integrity


Message Digests:
A message digest (cryptographic hash) always produces the same value for a given input, and a good digest algorithm makes it computationally infeasible to find two different inputs with the same value. Therefore an exact copy has the same digest as the original, but a file changed even by a single bit has a different digest. Use a current algorithm such as SHA-256: MD5 and SHA-1 are no longer collision-resistant, so an opposing party can argue that a matching MD5 or SHA-1 does not prove the copy is identical.

Ensuring Evidence Integrity


Message Digests:
Message digests provide a method of near individualization and are therefore sometimes referred to as digital fingerprints. Message digests are also useful for determining whether a piece of digital evidence has been tampered with.
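The bit stream copy, the two-copy verification procedure and the message digest slides describe one workflow: image every byte, hash the stream while imaging, re-hash the copy and the source, and use the digests to detect any later change. The script below is an added example, not code from the slides or from any of the tools they name (EnCase, dd, ByteBack, SafeBack). It images in fixed-size blocks the way dd does; the device path, examiner field and JSON record layout are assumptions.

```python
"""Bit-stream image a device or file while hashing it, then verify and compare.

Added example, not from the lecture slides. Source path, examiner name and
the record layout are assumptions.
"""
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB blocks, like dd bs=1M


def hash_file(path, block_size=BLOCK_SIZE):
    """SHA-256 of a file, read block by block so multi-GB images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest, examiner, block_size=BLOCK_SIZE):
    """Copy every byte of `source` to `dest`, hashing the stream as it is read.

    Returns the acquisition record for the case notes: tool, block size,
    time, examiner, byte count and the digest of the source as read.
    """
    started = datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    os.chmod(dest, 0o444)  # the image is never written to again
    return {
        "source": source,
        "image": dest,
        "tool": "image_device.py (added example)",
        "block_size": block_size,
        "bytes_copied": total,
        "sha256_source": h.hexdigest(),
        "acquired_utc": started,
        "examiner": examiner,
    }


def verify_image(record):
    """Re-hash the image and the source; all three digests must agree.

    Re-reading the source also shows the original did not change during
    imaging (a write-blocker should make that impossible; the hash proves it).
    """
    return hash_file(record["image"]) == hash_file(record["source"]) == record["sha256_source"]


def differing_blocks(a, b, block_size=4096):
    """Block-by-block comparison; returns the byte offsets of blocks that differ.

    A digest only says whether two copies differ; this locates where.
    """
    offsets, offset = [], 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ca, cb = fa.read(block_size), fb.read(block_size)
            if not ca and not cb:
                break
            if ca != cb:
                offsets.append(offset)
            offset += block_size
    return offsets


if __name__ == "__main__":
    # Usage: python image_device.py /dev/sdb case001.dd   (device path assumed)
    src, dst = sys.argv[1], sys.argv[2]
    rec = image_device(src, dst, examiner="examiner initials")
    rec["verified"] = verify_image(rec)
    with open(dst + ".json", "w") as fh:
        json.dump(rec, fh, indent=2)
    print(json.dumps(rec, indent=2))
```

The record returned by `image_device` is the "note the tool used, how, when and by whom" entry the duplication slide asks for; write it out alongside the image and re-run `verify_image` on the working copy before each examination session.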
